summaryrefslogtreecommitdiff
path: root/keystore/java/android/security/KeyStoreCipherSpi.java
diff options
context:
space:
mode:
Diffstat (limited to 'keystore/java/android/security/KeyStoreCipherSpi.java')
-rw-r--r--keystore/java/android/security/KeyStoreCipherSpi.java41
1 files changed, 20 insertions, 21 deletions
diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java
index 917f71678e41..20dd52435dca 100644
--- a/keystore/java/android/security/KeyStoreCipherSpi.java
+++ b/keystore/java/android/security/KeyStoreCipherSpi.java
@@ -22,6 +22,7 @@ import android.security.keymaster.KeymasterDefs;
import android.security.keymaster.OperationResult;
import java.security.AlgorithmParameters;
+import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
@@ -298,38 +299,36 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
mAdditionalEntropyForBegin = null;
if (opResult == null) {
throw new KeyStoreConnectException();
- } else if ((opResult.resultCode != KeyStore.NO_ERROR)
- && (opResult.resultCode != KeyStore.OP_AUTH_NEEDED)) {
- switch (opResult.resultCode) {
- case KeymasterDefs.KM_ERROR_INVALID_NONCE:
- throw new InvalidAlgorithmParameterException("Invalid IV");
+ }
+
+ // Store operation token and handle regardless of the error code returned by KeyStore to
+ // ensure that the operation gets aborted immediately if the code below throws an exception.
+ mOperationToken = opResult.token;
+ mOperationHandle = opResult.operationHandle;
+
+ // If necessary, throw an exception due to KeyStore operation having failed.
+ GeneralSecurityException e = KeyStoreCryptoOperationUtils.getExceptionForCipherInit(
+ mKeyStore, mKey, opResult.resultCode);
+ if (e != null) {
+ if (e instanceof InvalidKeyException) {
+ throw (InvalidKeyException) e;
+ } else if (e instanceof InvalidAlgorithmParameterException) {
+ throw (InvalidAlgorithmParameterException) e;
+ } else {
+ throw new RuntimeException("Unexpected exception type", e);
}
- throw mKeyStore.getInvalidKeyException(mKey.getAlias(), opResult.resultCode);
}
- if (opResult.token == null) {
+ if (mOperationToken == null) {
throw new IllegalStateException("Keystore returned null operation token");
}
- // The operation handle/token is now either valid for use immediately or needs to be
- // authorized through user authentication (if the error code was OP_AUTH_NEEDED).
- mOperationToken = opResult.token;
- mOperationHandle = opResult.operationHandle;
+
loadAlgorithmSpecificParametersFromBeginResult(keymasterOutputArgs);
mFirstOperationInitiated = true;
mIvHasBeenUsed = true;
mMainDataStreamer = new KeyStoreCryptoOperationChunkedStreamer(
new KeyStoreCryptoOperationChunkedStreamer.MainDataStream(
mKeyStore, opResult.token));
-
- if (opResult.resultCode != KeyStore.NO_ERROR) {
- // The operation requires user authentication. Check whether such authentication is
- // possible (e.g., the key may have been permanently invalidated).
- InvalidKeyException e =
- mKeyStore.getInvalidKeyException(mKey.getAlias(), opResult.resultCode);
- if (!(e instanceof UserNotAuthenticatedException)) {
- throw e;
- }
- }
}
@Override
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 19:14:54 +0000